ICS Vulnerabilities: CCI Thermometer 2021-8
Table of contents
Introduction
What's new in 2021
ICS manufacturers and weaknesses
New manufacturers
New weaknesses
New alerts
Risk map
Changes in manufacturer risk
ANNEX I: Risk map calculation
ANNEX II: Vulnerabilities published by NIST since the last CCI Thermometer
ANNEX III: Vulnerabilities of the new manufacturer (Bosch) in 2021
Industrial cybersecurity professional for more than ten years at companies including Schneider Electric, S21sec, EY, SecurityMatters, Forescout, Telefónica and currently TITANIUM Industrial Security. Active member of the Centro de Ciberseguridad Industrial (CCI) ecosystem since 2013, Black Level professional, and participant as author and reviewer of various studies and documents produced by the CCI.
Introduction
Since the publication of the notebook "A Decade of ICS Vulnerabilities" (Una década de vulnerabilidades ICS) on 4 May 2020, new vulnerabilities affecting ICS systems have continued to be published, which has changed the risk exposure of the manufacturers covered in that notebook.

At the CCI we want to keep this information up to date in order to provide a view of how these vulnerabilities evolve, so that the ecosystem can use it as it sees fit, in a publication we will call the CCI ICS Vulnerability Thermometer.

In each update we will publish:

    •   The evolution of the number of control-system manufacturers included in the thermometer for the current period
    •   The evolution of vulnerabilities and alerts for the control-system manufacturers included in the thermometer
    •   The manufacturers' risk-exposure heat map, updated as of the publication date.
    •   Comments on the evolution of the risk map.

What's new in 2021
To adapt to the growing number of public vulnerabilities that affect several manufacturers, in 2021 a new criterion will be applied: each of the manufacturers affected by a single vulnerability (CVE) will be published separately. To be consistent with this new approach, in 2021 we will speak of "ICS Weaknesses" to accommodate these multi-manufacturer vulnerabilities.

ICS manufacturers and weaknesses

New manufacturers
This edition of the CCI Thermometer includes 2 new manufacturers, bringing the total to 46 in 2021.

        Low Risk                    Medium Risk                      High Risk                 Very High Risk
             N/A                         Bosch                           N/A                        N/A
                                    Morpho (IDEMIA)

The number of ICS manufacturers monitored is key to understanding the volume of weaknesses detected each year, and it explains the differences we can find in similar studies carried out by other companies and organisations, since the number of weaknesses depends on the set of manufacturers considered.
As I already explained in the document that gave rise to the CCI Thermometer in May 2020, the original set of manufacturers was the one considered by ICS-CERT, although over this year and a half the set has been expanded to take into account the solutions most widely deployed in the industrial environments of the CCI ecosystem.
This is the case of Bosch, with 1 new weakness published on its IP cameras. This manufacturer has had 20 weaknesses published in 2021, almost all of them associated with its physical security solutions (IP surveillance cameras, network public-address systems and fire-detection systems). See details in ANNEX III.
Morpho (IDEMIA) registers 3 weaknesses (CVE-2021-35520, CVE-2021-35521 and CVE-2021-35522), the last of which is an alert because it is exploitable over the network, has low complexity and causes the total unavailability of the device. All three weaknesses refer to a biometric access-control device that is also used in physical security.

New weaknesses
The number of ICS vulnerabilities published and fully characterised by NIST since the last update is 75.

It should be explained that this unusual increase comes from the inclusion of Bosch as a control-system manufacturer. ICS-CERT, whose manufacturer list was the initial set monitored by the CCI Thermometer, does not cover this manufacturer. I suspect this is due to the lower adoption of its solutions in the USA. In Europe, however, the situation is very different, and large manufacturers such as Phoenix Contact use its products (of Rexroth origin) in their automation solutions. The impact of its inclusion on the 2021 figures is 20 new weaknesses and 2 alerts.

Of the remaining 55, a single manufacturer, CODESYS, accounts for 20% of that number with 11 CVEs published in August. It is worth noting that, to date, more vulnerabilities have been published on its products (26) than in the whole of 2020 (7). It accumulates a CVSS v2 of 6.4 over the last 10 years.

Siemens adds another 10 weaknesses published in August (1 of them considered an alert) and reaches 169 vulnerabilities in 2021. For yet another month it continues to lead the risk-exposure map.

In the case of Mitsubishi Electric, the publication of 6 vulnerabilities this month (with 2 alerts) places it in the medium-risk zone, and it now has 12 weaknesses published in 2021 on its products.

Fatek adds another 3 weaknesses on its Automation FvDesigner product and now accumulates 12 in 2021.

Morpho (IDEMIA) has also had 3 weaknesses published (one of them an alert) on two of its product series, which suggests another case of vulnerability amplification through reuse of libraries and/or modules.

Finally, Advantech's R-SeeNet product adds 1 weakness (considered an alert) in August 2021, which affects its risk exposure as a manufacturer.

Past the halfway point of 2021, we can confirm that the trend in weakness research on control systems used across multiple sectors continues to grow steadily.

New alerts
This month, NIST has published 5 new manufacturer alerts, but the inclusion of Bosch in the thermometer list introduces two further alerts published in 2021.
(ANNEX III provides detailed information on all of them)

We recall that these are classified as alerts because exploitation of the vulnerability has low complexity, has the network as its access vector and can cause a total loss of service (according to the CVSS v2 classification, to allow the historical classification of weaknesses in older products).

Mitsubishi Electric has had 2 alerts published on 2 of its product series:

[Figure: Mitsubishi Electric GT27 and Mitsubishi Electric G50A]

In both cases, sending malicious IP packets can leave the device isolated, and reconnecting it to the control network would require a device restart.

CVE              Date published   CVSS   Description
CVE-2021-20592   2021-08-05       7.8    Missing synchronization vulnerability in GOT2000 series GT27 model communication driver versions 01.19.000 through 01.39.010, GT25 model communication driver versions 01.19.000 through 01.39.010 and GT23 model communication driver versions 01.19.000 through 01.39.010 and GT SoftGOT2000 versions 1.170C through 1.256S allows a remote unauthenticated attacker to cause DoS condition on the MODBUS/TCP slave communication function of the products by rapidly and repeatedly connecting and disconnecting to and from the MODBUS/TCP communication port on a target. Restart or reset is required to recover.
CVE-2021-20595   2021-07-13       8.5    Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM adapter(BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to disclose some of data in the air conditioning system or cause a DoS condition by sending specially crafted packets.

In the case of Morpho (IDEMIA), 1 new alert has been published by NIST this month on its Morpho Wave and VisionPass products:

[Figure: Morpho Wave and VisionPass]

Both systems provide physical security solutions (access control), so it would be important to update them quickly to non-vulnerable versions.

CVE              Date published   CVSS   Description
CVE-2021-35522   2021-07-22       9.0    A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD devices before 4.9.7 allows remote attackers to achieve code execution, denial of services, and information disclosure via TCP/IP packets.

The problem is related to the TCP/IP stack that both devices use.
It does not seem that the recommendations on security assessments of products in the design, procurement and acceptance-testing phases are making much headway.

Advantech surprises us again with 1 new alert on its R-SeeNet product (that makes 5 in 2021)

CVE              Date published   CVSS   Description
CVE-2021-21805   2021-08-05       10.0   An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.

The weakness stems from the poor verification of the parameters received in HTTP requests.
To be more academic:
       CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Siemens accumulates 1 new alert this month on its SINEC NMS product:

CVE              Date published   CVSS   Description
CVE-2021-35721   2021-08-10       9.0    A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2). The affected application incorrectly neutralizes special elements when creating batch operations which could lead to command injection. An authenticated remote attacker with administrative privileges could exploit this vulnerability to execute arbitrary code on the system with system privileges.

The problem is similar to that of the Advantech application:
       CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
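Both alerts above come down to the same CWE-78 pattern: a request parameter reaches an operating-system command without being neutralised. The following Python snippet is an added illustration, not code from Advantech, Siemens or this report, and is deliberately generic (a "ping" handler is used because that is the functionality named in the Advantech entry). It contrasts a handler that concatenates the parameter into a shell command string with a hardened one that accepts only a literal IP address and passes it to the command as a separate argument, never through a shell. All function names, the `host` parameter and the sample inputs are hypothetical and constructed for the example.

```python
import ipaddress
import subprocess
from typing import Dict, List, Tuple

# Constructed sample request parameters (not taken from any real product).
SAFE_HOST = "192.0.2.10"
HOSTILE_HOST = "192.0.2.10; id"   # a shell metacharacter smuggled into the value


def build_ping_command_vulnerable(host: str) -> str:
    """The CWE-78 pattern: the untrusted parameter is spliced into a command
    string that would be handed to a shell. Anything after ';' in `host`
    becomes a second command. Returned, not executed, so it can be inspected."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Accept only a literal IPv4/IPv6 address. ipaddress.ip_address raises
    ValueError on anything else, which is exactly what we want for a value
    that will end up on a command line."""
    return str(ipaddress.ip_address(host.strip()))


def build_ping_command_hardened(host: str) -> List[str]:
    """Hardened form: validated value, argv list, no shell. The value is one
    argument to ping and cannot be reinterpreted as further commands."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(argv: List[str], timeout: float = 5.0) -> int:
    """Execute the hardened argv with shell=False and return the exit status."""
    result = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    return result.returncode


def handle_ping_request(params: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical request handler: reject invalid input with 400 instead of
    letting it near the command line; only validated addresses are pinged."""
    host = params.get("host", "")
    try:
        argv = build_ping_command_hardened(host)
    except ValueError:
        return 400, "invalid host"
    return 200, "exit status %d" % run_ping(argv)


if __name__ == "__main__":
    print("vulnerable command string:", build_ping_command_vulnerable(HOSTILE_HOST))
    print("hardened argv:", build_ping_command_hardened(SAFE_HOST))
    print("hostile request ->", handle_ping_request({"host": HOSTILE_HOST}))
```

Restricting the value to an IP address is the simplest allowlist; if hostnames must be accepted, validate them against a strict hostname pattern before the same argv-based call, and keep `shell=False` in every case.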

Risk map
31 August 2021

[Figure: qualitative risk-exposure heat map as of 31 August 2021. The positions of the manufacturers on the map are not recoverable from the extracted text; the manufacturers shown are Circutor, Advantech, Bosch, Digitek, Hilscher, Siemens, Motorola Solutions, Mitsubishi Electric, Pro-face, Moxa, Zebra Industrial, Panasonic, Phoenix Contact, Schneider Electric, Beckhoff, Belden, CODESYS, Delta Electronics, Digi, Eaton, eWON, Fatek, Fuji Electric, Emerson, Hirschmann, GE, Honeywell, Mikrotik, Johnson Controls, Kepware, Omron, PTC (ThingWorx), Rockwell, Software Toolbox, Wibu Systems, Wind River, ABB, Philips, ProSoft, RuggedCom, SafeNet, SearchBlox, Tesla, Wago and Aveva.]
Changes in manufacturer risk
The high number of weaknesses published by NIST in August on Siemens products has kept its risk exposure at the Very High level.

Schneider Electric is once again placed in the Medium+ risk zone for purely statistical reasons in the calculation of the risk map.

Bosch is placed directly in the Medium+ risk zone alongside other manufacturers (Advantech, Hilscher, Mitsubishi Electric, Morpho, Moxa, Panasonic, Phoenix Contact and Schneider Electric).

The remaining manufacturers keep their level on the qualitative risk-exposure heat map.
ANNEX I: Risk map calculation
In order to show each manufacturer's posture with regard to the risk associated with its published vulnerabilities quickly and graphically, I have chosen a graphical format that is very common in risk management: the heat map.
This diagram uses different colours to represent the associated risk qualitatively, in four ranges: Low, Medium, High and Very High.

[Figure: heat map legend; the four ranges LOW, MEDIUM, HIGH and VERY HIGH run diagonally from the bottom left to the top right of the map]

Each manufacturer's position on the map depends on the values obtained for two parameters associated with probability (number of CVEs published) and with the impact of those CVEs (mean CVSS value).
For each year, each of these values has been calculated on a scale from 1 to 5.
     • On the horizontal axis, the value is proportional to the number of CVEs published for that manufacturer in a given year, compared with the manufacturer with the highest number of CVEs.
     • On the vertical axis, the mean CVSS value of the CVEs published that year is calculated and divided by 2.
To give a more qualitative idea of each manufacturer's posture, two corrections have been introduced in the calculation:
     • If the manufacturer has any CVE that year considered an Alert (network access, low complexity and complete impact on availability), the impact (vertical axis) is increased by one unit and the probability (horizontal axis) by one unit. This is done to distinguish this manufacturer from others without this type of CVE and to position it in a higher-risk zone.
     • Likewise, if a manufacturer has any CVE that year with a CVSS value of 10.0, the probability (horizontal axis) is increased by one unit. This is done to distinguish this manufacturer from others without this type of CVE and to position it in a higher-risk zone.

Various simulations have shown that these corrections do not greatly alter the manufacturer's overall risk posture, yet they provide a more accurate qualitative diagnosis.

ANEXO II – Vulnerabilidades publicadas por el
  NIST desde el último termómetro CCI
CVE              Date         CVSS   Warning   Description
                 published    V2
CVE-2021-31338   2021-08-19    4.6             A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.0
                                               SP1). Affected devices allow to modify configuration settings over an unauthenticated
                                               channel. This could allow a local attacker to escalate privileges and execute own code on
                                               the device.
CVE-2021-33721   2021-08-10   9.0              A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2). The affected
                                               application incorrectly neutralizes special elements when creating batch operations which
                                               could lead to command injection. An authenticated remote attacker with administrative
                                               privileges could exploit this vulnerability to execute arbitrary code on the system with
                                               system privileges.
CVE-2021-20592   2021-08-05   7.8              Missing synchronization vulnerability in GOT2000 series GT27 model communication driver
                                               versions 01.19.000 through 01.39.010, GT25 model communication driver versions
                                               01.19.000 through 01.39.010 and GT23 model communication driver versions 01.19.000
                                               through 01.39.010 and GT SoftGOT2000 versions 1.170C through 1.256S allows a remote
                                               unauthenticated attacker to cause DoS condition on the MODBUS/TCP slave
                                               communication function of the products by rapidly and repeatedly connecting and
                                               disconnecting to and from the MODBUS/TCP communication port on a target. Restart or
                                               reset is required to recover.
CVE-2021-21805   2021-08-05   10.0             An OS Command Injection vulnerability exists in the ping.php script functionality of
                                               Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to
                                               arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger
                                               this vulnerability.
CVE-2021-35522   2021-07-22   9.0              A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and
                                               VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD devices before
                                               4.9.7 allows remote attackers to achieve code execution, denial of services, and information
                                               disclosure via TCP/IP packets.
CVE-2021-20595   2021-07-13   8.5              Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air
                                               Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35
                                               and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20
                                               and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver
                                               7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93
                                               and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior,
                                               EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A
                                               Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion
                                               Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM
                                               adapter(BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to
                                               disclose some of data in the air conditioning system or cause a DoS condition by sending
                                               specially crafted packets.
CVE-2020-20221   2021-07-21   6.8              Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource
                                               consumption vulnerability in the /nova/bin/cerm process. An authenticated remote
                                               attacker can cause a Denial of Service due to overloading the systems CPU.
CVE-2021-21868   2021-08-18   6.8              An unsafe deserialization vulnerability exists in the ObjectManager.plugin
                                               Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System
                                               3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An
                                               attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21867   2021-08-18   6.8              An unsafe deserialization vulnerability exists in the ObjectManager.plugin
                                               ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development
                                               System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution.
                                               An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-32939   2021-08-11   6.8              FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable to an out-of-bounds
                                               write while processing project files, allowing an attacker to craft a project file that may
                                               permit arbitrary code execution.
CVE-2021-32947   2021-08-11   6.8              FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable to a stack-based
                                               buffer overflow, which may allow an attacker to execute arbitrary code.
CVE-2021-32931   2021-08-11   6.8              An uninitialized pointer in FATEK Automation FvDesigner, Versions 1.5.88 and prior may be
                                               exploited while the application is processing project files, allowing an attacker to craft a
                                               special project file that may permit arbitrary code execution.
CVE-2021-32943   2021-08-10   7.5              The affected product is vulnerable to a stack-based buffer overflow, which may allow an
                                               attacker to remotely execute arbitrary code on the WebAccess/SCADA (WebAccess/SCADA
                                               versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

                                                                                                                                                13
CVE              Date         CVSS   Warning   Description
                 published    V2
CVE-2021-37180   2021-08-10    6.8             A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). The
                                               PSKERNEL.dll library lacks proper validation while parsing user-supplied OBJ files that could
                                               cause an out of bounds access to an uninitialized pointer. An attacker could leverage this
                                               vulnerability to execute code in the context of the current process. (ZDI-CAN-13775)
CVE-2021-37179   2021-08-10   6.8              A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). The
                                               PSKERNEL.dll library in affected application lacks proper validation while parsing user-
                                               supplied OBJ files that could lead to a use-after-free condition. An attacker could leverage
                                               this vulnerability to execute code in the context of the current process. (ZDI-CAN-13777)
CVE-2021-37172   2021-08-10   5.0              A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants)
                                               (V4.5.0). Affected devices fail to authenticate against configured passwords when
                                               provisioned using TIA Portal V13. This could allow an attacker using TIA Portal V17 or later
                                               versions to bypass authentication and download arbitrary programs to the PLC. The
                                               vulnerability does not occur when TIA Portal V13 SP1 or any later version was used to
                                               provision the device.
CVE-2020-28397   2021-08-10   5.0              A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2),
                                               SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions),
                                               SIMATIC S7 PLCSIM Advanced (All versions > V2 < V4), SIMATIC S7-1200 CPU family (incl.
                                               SIPLUS variants) (Version V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and
                                               SIPLUS variants) (All versions > V2.5 < V2.9.2), SIMATIC S7-1500 Software Controller (All
                                               versions > V2.5), TIM 1531 IRC (incl. SIPLUS NET variants) (Version V2.1). Due to an incorrect
                                               authorization check in the affected component, an attacker could extract information about
                                               access protected PLC program variables over port 102/tcp from an affected device when
                                               reading multiple attributes at once.
CVE-2021-25659   2021-08-10   5.0              A vulnerability has been identified in Automation License Manager 5 (All versions),
                                               Automation License Manager 6 (All versions < V6.0 SP9 Update 2). Sending specially crafted
                                               packets to port 4410/tcp of an affected system could lead to extensive memory being
                                               consumed and as such could cause a denial-of-service preventing legitimate users from
                                               using the system.
CVE-2021-37178   2021-08-10   4.3              A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). An XML
                                               external entity injection vulnerability in the underlying XML parser could cause the affected
                                               application to disclose arbitrary files to remote attackers by loading a specially crafted xml
                                               file.
CVE-2021-33738   2021-08-10   4.3              A vulnerability has been identified in JT2Go (All versions < V13.2.0.2), Teamcenter
                                               Visualization (All versions < V13.2.0.2). The plmxmlAdapterSE70.dll library in affected
                                               applications lacks proper validation of user-supplied data when parsing PAR files. This could
                                               result in an out of bounds read past the end of an allocated buffer. An attacker could
                                               leverage this vulnerability to leak information in the context of the current process. (ZDI-
                                               CAN-13405)
CVE-2021-33717   2021-08-10   4.3              A vulnerability has been identified in JT2Go (All versions < V13.2.0.1), Teamcenter
                                               Visualization (All versions < V13.2.0.1). When parsing specially crafted CGM Files, a NULL
                                               pointer dereference condition could cause the application to crash. The application must be
                                               restarted to restore the service. An attacker could leverage this vulnerability to cause a
                                               Denial-of-Service condition in the application.
CVE-2020-21682   2021-08-10   4.3              A global buffer overflow in the set_fill component in genge.c of fig2dev 3.2.7b allows
                                               attackers to cause a denial of service (DoS) via converting an xfig file into ge format.
CVE-2020-21681   2021-08-10   4.3              A global buffer overflow in the set_color component in genge.c of fig2dev 3.2.7b allows
                                               attackers to cause a denial of service (DoS) via converting an xfig file into ge format.
CVE-2021-22676   2021-08-10   4.3              UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which
                                               could allow an attacker to send malicious JavaScript code. This could result in hijacking of
                                               cookie/session tokens, redirection to a malicious webpage, and unintended browser action
                                               on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA
                                               versions prior to 9.0.1).
CVE-2021-22674   2021-08-10   4.0              The affected product is vulnerable to a relative path traversal condition, which may allow an
                                               attacker access to unauthorized files and directories on the WebAccess/SCADA
                                               (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).
CVE-2021-20597   2021-08-06   6.4              Insufficiently Protected Credentials vulnerability in Mitsubishi Electric MELSEC iQ-R series
                                               CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows
                                               a remote unauthenticated attacker to log in to the target without authorization by sniffing network
                                               traffic and obtaining credentials when registering user information in the target or changing
                                               a password.
CVE-2021-20598   2021-08-06   5.0              Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric MELSEC
                                               iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all
                                               versions) allows a remote unauthenticated attacker to lockout a legitimate user by
                                               continuously trying login with incorrect password.
CVE-2021-20594   2021-08-06   5.0              Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mitsubishi
                                               Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions,
                                               R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to acquire
                                               legitimate user names registered in the module via brute-force attack on user names.
CVE-2021-23849   2021-08-05   6.8              A vulnerability in the web-based interface allows an unauthenticated remote attacker to
                                               trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request
                                               Forgery). This requires the victim to be tricked into clicking a malicious link or opening a
                                               malicious website while being logged in to the camera.
CVE-2021-21863   2021-08-05   6.8              An unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile()
                                               functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A
                                               specially crafted file can lead to arbitrary command execution. An attacker can provide a
                                               malicious file to trigger this vulnerability.
CVE-2021-36764   2021-08-04   5.0              In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted
                                               communication requests may cause a Null pointer dereference in the affected CODESYS
                                               products and may result in a denial-of-service condition.
CVE-2021-36765   2021-08-04   5.0              In CODESYS EtherNetIP before 4.1.0.0, specific EtherNet/IP requests may cause a null
                                               pointer dereference in the downloaded vulnerable EtherNet/IP stack that is executed by the
                                               CODESYS Control runtime system.
CVE-2021-33485   2021-08-03   7.5              CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.
CVE-2021-33486   2021-08-03   5.0              All versions of the CODESYS V3 Runtime Toolkit for VxWorks from version V3.5.8.0 and
                                               before version V3.5.17.10 have Improper Handling of Exceptional Conditions.
CVE-2021-36763   2021-08-03   5.0              In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External
                                               Parties.
CVE-2021-21865   2021-08-02   6.8              An unsafe deserialization vulnerability exists in the PackageManagement.plugin
                                               ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System
                                               3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can
                                               provide a malicious file to trigger this vulnerability.
CVE-2021-21866   2021-08-02   6.8              An unsafe deserialization vulnerability exists in the ObjectManager.plugin
                                               ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development
                                               System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution.
                                               An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21864   2021-08-02   6.8              An unsafe deserialization vulnerability exists in the ComponentModel
                                               ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS
                                               Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary
                                               command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-29298   2021-07-30   2.6              Improper Input Validation in Emerson GE Automation Proficy Machine Edition v8.0 allows
                                               an attacker to cause a denial of service and application crash via crafted traffic from a Man-
                                               in-the-Middle (MITM) attack to the component "FrameworX.exe" in the module
                                               "fxVPStatcTcp.dll".
CVE-2021-29297   2021-07-30   2.6              Buffer Overflow in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker
                                               to cause a denial of service and application crash via crafted traffic from a Man-in-the-
                                               Middle (MITM) attack to the component "FrameworX.exe" in the module "MSVCR100.dll".
CVE-2020-20741   2021-07-23   7.5              Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware
                                               version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to
                                               bypass authentication via the "CE Remote Display Tool" as it does not close the incoming
                                               connection on the Windows CE side if the credentials are incorrect.
CVE-2021-20596   2021-07-22   5.0              NULL Pointer Dereference in MELSEC-F Series FX3U-ENET firmware version 1.14 and prior,
                                               FX3U-ENET-L firmware version 1.14 and prior and FX3U-ENET-P502 firmware version 1.14
                                               and prior allows a remote unauthenticated attacker to cause a DoS condition in
                                               communication by sending specially crafted packets. Control by MELSEC-F series PLC is not
                                               affected and system reset is required for recovery.
CVE-2021-35521   2021-07-22   4.9              A path traversal in Thrift command handlers in IDEMIA Morpho Wave Compact and
                                               VisionPass devices before 2.6.2 allows remote authenticated attackers to achieve denial of
                                               services and information disclosure via TCP/IP packets.
CVE-2021-35520   2021-07-22   4.6              A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and
                                               VisionPass devices before 2.6.2 allows physically proximate authenticated attackers to
                                               achieve code execution, denial of services, and information disclosure via serial ports.
CVE-2021-22772   2021-07-21   7.5              A CWE-306: Missing Authentication for Critical Function vulnerability exists in Easergy T200
                                               ((Modbus) SC2-04MOD-07000100 and earlier), Easergy T200 ((IEC104) SC2-04IEC-07000100
                                               and earlier), and Easergy T200 ((DNP3) SC2-04DNP-07000102 and earlier) that could cause
                                               unauthorized operation when authentication is bypassed.

ANNEX III – Vulnerabilities of the new manufacturer (Bosch) in 2021
CVE              Date         CVSS   Warning   Description
                 published    V2
CVE-2021-23849   2021-08-05    6.8             A vulnerability in the web-based interface allows an unauthenticated remote attacker to
                                               trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request
                                               Forgery). This requires the victim to be tricked into clicking a malicious link or opening a
                                               malicious website while being logged in to the camera.
CVE-2021-23845   2021-06-18    6.8             This vulnerability could allow an attacker to hijack a session while a user is logged in the
                                               configuration web page. This vulnerability was discovered by a security researcher in B426
                                               and found during internal product tests in B426-CN/B429-CN, and B426-M, and has already
                                               been fixed starting from version 3.08, which was released in June 2019.
CVE-2021-23846   2021-06-18    4.3             When using http protocol, the user password is transmitted as a clear text parameter for
                                               which it is possible to be obtained by an attacker through a MITM attack. This will be fixed
                                               starting from Firmware version 3.11.5, which will be released on the 30th of June, 2021.
CVE-2021-23853   2021-06-09    7.5             In Bosch IP cameras, improper validation of the HTTP header allows an attacker to inject
                                               arbitrary HTTP headers through crafted URLs.
CVE-2021-23847   2021-06-09    6.4             A Missing Authentication in Critical Function in Bosch IP cameras allows an
                                               unauthenticated remote attacker to extract sensitive information or change settings of
                                               the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and
                                               CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this
                                               vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.
CVE-2021-23854   2021-06-09    4.3             An error in the handling of a page parameter in Bosch IP cameras may lead to a reflected
                                               cross site scripting (XSS) in the web-based interface. This issue only affects versions 7.7x
                                               and 7.6x. All other versions are not affected.
CVE-2021-23848   2021-06-09    4.3             An error in the URL handler of Bosch IP cameras may lead to a reflected cross site scripting
                                               (XSS) in the web-based interface. An attacker with knowledge of the camera address can
                                               send a crafted link to a user, which will execute JavaScript code in the context of the user.
CVE-2021-23852   2021-06-09    4.0             An authenticated attacker with administrator rights on Bosch IP cameras can call a URL with
                                               an invalid parameter that causes the camera to become unresponsive for a few seconds
                                               and cause a Denial of Service (DoS).
CVE-2020-6790    2021-03-25    6.9             Calling an executable through an Uncontrolled Search Path Element in the Bosch Video
                                               Streaming Gateway installer up to and including version 6.45.10 potentially allows an
                                               attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is
                                               tricked into placing a malicious exe in the same directory where the installer is started
                                               from.
CVE-2020-6786    2021-03-25    6.9             Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Recording
                                               Manager installer up to and including version 3.82.0055 for 3.82, up to and including
                                               version 3.81.0064 for 3.81 and 3.71 and older potentially allows an attacker to execute
                                               arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing
                                               a malicious DLL in the same directory where the installer is started from.
CVE-2020-6785    2021-03-25    6.9             Loading a DLL through an Uncontrolled Search Path Element in Bosch BVMS and BVMS
                                               Viewer in versions 10.1.0, 10.0.1, 10.0.0 and 9.0.0 and older potentially allows an attacker
                                               to execute arbitrary code on a victim's system. This affects both the installer as well as the
                                               installed application. This also affects Bosch DIVAR IP 7000 R2, Bosch DIVAR IP all-in-one
                                               5000 and Bosch DIVAR IP all-in-one 7000 with installers and installed BVMS versions prior
                                               to BVMS 10.1.1.
CVE-2020-6787    2021-03-25    6.9             Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Client
                                               installer up to and including version 1.7.6.079 potentially allows an attacker to execute
                                               arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing
                                               a malicious DLL in the same directory where the installer is started from.
CVE-2020-6789    2021-03-25    6.9             Loading a DLL through an Uncontrolled Search Path Element in the Bosch Monitor Wall
                                               installer up to and including version 10.00.0164 potentially allows an attacker to execute
                                               arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing
                                               a malicious DLL in the same directory where the installer is started from.
CVE-2020-6771    2021-03-25    6.9             Loading a DLL through an Uncontrolled Search Path Element in Bosch IP Helper up to and
                                               including version 1.00.0008 potentially allows an attacker to execute arbitrary code on a
                                               victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in
                                               the same application directory as the portable IP Helper application.
CVE-2020-6788    2021-03-25    6.9             Loading a DLL through an Uncontrolled Search Path Element in the Bosch Configuration
                                               Manager installer up to and including version 7.21.0078 potentially allows an attacker to
                                               execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into
                                               placing a malicious DLL in the same directory where the installer is started from.
CVE-2019-11684   2021-02-26   10.0             Improper Access Control in the RCP+ server of the Bosch Video Recording Manager (VRM)
                                               component allows arbitrary and unauthenticated access to a limited subset of certificates,
                                               stored in the underlying Microsoft Windows operating system. The fixed versions
                                               implement modified authentication checks. Prior releases of VRM software version 3.70
                                               are considered unaffected. This vulnerability affects VRM v3.70.x, v3.71 < v3.71.0034 and
                                               v3.81 < 3.81.0050; DIVAR IP 5000 3.80 < 3.80.0039; BVMS all versions using VRM.
CVE-2020-6780    2021-01-26    4.0             Use of Password Hash With Insufficient Computational Effort in the database of Bosch
                                               FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows a
                                               remote attacker with admin privileges to dump the credentials of other users and possibly
                                               recover their plain-text passwords by brute-forcing the MD5 hash.
CVE-2020-6779    2021-01-26   10.0             Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-
                                               5000 server up to and including version 5.2 allows an unauthenticated remote attacker to
                                               log into the database with admin-privileges. This may result in complete compromise of
                                               the confidentiality and integrity of the stored data as well as a high availability impact on
                                               the database itself. In addition, an attacker may execute arbitrary commands on the
                                               underlying operating system.
CVE-2020-6776    2021-01-14    6.8             A vulnerability in the web-based management interface of Bosch PRAESIDEO until and
                                               including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an
                                               unauthenticated remote attacker to trigger actions on an affected system on behalf of
                                               another user (Cross-Site Request Forgery). This requires the victim to be tricked into
                                               clicking a malicious link or submitting a malicious form. A successful exploit allows the
                                               attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and
                                               modifying user accounts, changing system configuration settings and causing DoS
                                               conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all
                                               versions, the confidentiality impact is considered low because user credentials are not
                                               shown in the web interface.
CVE-2020-6777    2021-01-14    3.5             A vulnerability in the web-based management interface of Bosch PRAESIDEO until and
                                               including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an
                                               authenticated remote attacker with admin privileges to mount a stored Cross-Site-
                                               Scripting (XSS) attack against another user. When the victim logs into the management
                                               interface, the stored script code is executed in the context of his browser. A successful
                                               exploit would allow an attacker to interact with the management interface with the
                                               privileges of the victim. However, as the attacker already needs admin privileges, there is
                                               no additional impact on the management interface itself.